Research shows most consumers never change their online passwords

Earlier this year, identity verification and fraud prevention firm IDology conducted a survey of U.S. consumers focusing on their concerns about online fraud and data security. While worries that personal information could be compromised came as no surprise, the study also disclosed a significant disconnect between what bothers consumers and what they’re willing to do about it: 45 percent of respondents said they write their passwords down (almost always on some sort of device that can be hacked) and 73 percent never change them.

“That surprised us,” says Christine Luttrell, IDology’s vice president of client solutions, product and marketing, “especially with all the publicity about account takeovers and data breaches and so on. There’s something on the news about this practically every day. We see it, and we thought all this awareness would give rise to a higher level of caution. But we were wrong. People are still not changing their passwords.”

Luttrell attributes much of this to sheer human nature. People don’t like to change their habits, and they tend to avoid doing so until something personally impacts them.

BAD INFORMATION

Jim Van Dyke, an expert on digital security who helped shape the IDology study, offers other explanations. “Some of the so-called research findings put out by the information security community have been very harmful in accurately positioning how consumers view security,” he says.

“It’s like a Jimmy Kimmel routine. First they ask, ‘Do you care about security?’ and the subject says, ‘Yes, I do.’ Then they ask, ‘Would you sell me your Social Security number for five dollars?’ They’ll always find somebody who says yes, at which point the info security company turns around and says, ‘See? It’s hopeless. All you can do is protect the network or the server.’”

Van Dyke suggests another reason people say they are worried about security — and yet also practice bad password habits — is that they are given bad password advice. “Like you should have a different password for each account, eight characters or more, upper and lowercase, special characters,” he says.

“Every password should be unique. The average person might have 50, 60 or 70 passwords to keep track of and, of course, you should never write them down. Einstein couldn’t do that, let alone your average shopper. What you wind up with is two bad choices: either you ask the consumer to do nothing — witness the 73 percent who never change their password — or you ask them to do something impossible.”

PASSWORD MANAGEMENT

It’s not impossible, of course. As Luttrell points out, people can use a password manager — a software tool that helps generate and retrieve the kind of complex passwords Van Dyke was referring to.

Essentially, a password manager is an encrypted database; depending on its design and functionality, it can either live on the user’s device or out on the cloud somewhere. The cloud option is popular because it can be accessed from anything that can reach the internet, e.g. a smartphone, and because it reduces the risk of losing passwords through theft from or damage to a device.

A disadvantage of the cloud option, however, is trusting that the hosting site itself has not been hacked, and that there isn’t a keylogger on the device used to access passwords. Keyloggers, programs that (covertly, as a rule) record every keystroke on a target device, were originally developed to enable employers to observe employees to make certain they weren’t using company computers for unauthorized or time-wasting activities. They are now, however, primarily used by criminals for stealing passwords.

There are countermeasures alert users can take to make certain — or at least to try to make certain — that password managers are unhacked and passwords are safe. Properly used and vigilantly double-checked, using a password manager is vastly more secure than using the same password over and over or writing it down somewhere.

WHOSE RESPONSIBILITY?

The professionals do it. Luttrell is a 20-plus-year veteran of the digital security and data industry who changes her passwords regularly and uses a password manager. But she acknowledges that getting consumers to take complex security steps can be challenging, particularly if you’re a retailer trying to build a customer base.

It’s true that most respondents to the IDology study expressed concern about security and ranked it high in importance when opening a new online account. “However,” Luttrell says, “almost one in three of the consumers we surveyed — 31 percent — said they’d abandoned the process of opening a new account because it was too difficult or took too long.”

What this appears to mean, she says, is that consumers do take digital security seriously; they expect their data to be safe in the hands of a retailer or other business. On the other hand, what they really value the most is ease: a frictionless transaction. For that to happen, the merchant is going to have to do most of the work and virtually all the explaining.

MIXING TRUTH AND REASSURANCE

Which they need to do well. “People need to go beyond the normal assurances of, for example, saying they have military-grade encryption,” Van Dyke says. “What in the world does that mean to a consumer? They need to find simple ways of explaining how they’ll use their information and why verification is important. What you need — I don’t mean to make this sound easy, because it’s very difficult — is to have the right blend: a concise message that tells people the truth and also provides reassurance. Every time you ask for something, let the customer know you’re doing it in their own best interest.”

To avoid getting into a complicated password situation, the merchant might ask a customer a couple of identity authentication questions as part of the account-opening routine. Then when something out of the ordinary occurs — a customer making a first-time purchase, making a higher dollar-value purchase than usual or ordering from a new device — it should trigger the back-end system to ask them an additional question about their identity.
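The trigger logic described in that paragraph, written out as an added example (not IDology’s or any merchant’s code): a stored customer profile, an incoming transaction, and a decision function that flags the three conditions the text lists and asks the extra identity question only when one of them is present. The "twice the median of past purchases" threshold for "higher than usual" is an assumption made for the example.

```python
from dataclasses import dataclass, field
from statistics import median

# Assumption: a purchase is "higher than usual" when it exceeds this
# multiple of the customer's median past purchase amount.
UNUSUAL_AMOUNT_MULTIPLIER = 2.0


@dataclass
class CustomerProfile:
    """What the merchant's back end already knows about the customer."""
    customer_id: str
    known_devices: set = field(default_factory=set)
    purchase_amounts: list = field(default_factory=list)


@dataclass
class Transaction:
    customer_id: str
    device_id: str
    amount: float


def step_up_reasons(profile: CustomerProfile, txn: Transaction) -> list:
    """Return the out-of-the-ordinary conditions that warrant an extra identity question."""
    reasons = []
    if not profile.purchase_amounts:
        reasons.append("first_purchase")
    elif txn.amount > UNUSUAL_AMOUNT_MULTIPLIER * median(profile.purchase_amounts):
        reasons.append("unusual_amount")
    if txn.device_id not in profile.known_devices:
        reasons.append("new_device")
    return reasons


def process_transaction(profile: CustomerProfile, txn: Transaction,
                        extra_question_passed: bool = False) -> tuple:
    """Decide 'challenge' (ask the additional question) or 'approved'.

    The caller re-submits with extra_question_passed=True once the customer
    has answered the additional identity question correctly. Only approved
    transactions update the profile, so a failed challenge never teaches the
    system a new device or a new spending level.
    """
    reasons = step_up_reasons(profile, txn)
    if reasons and not extra_question_passed:
        return ("challenge", reasons)
    profile.known_devices.add(txn.device_id)
    profile.purchase_amounts.append(txn.amount)
    return ("approved", reasons)
```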

The goal is to integrate security into knowing the customer and making them feel known. “Identity is really a core component of the customer experience,” Luttrell says. “It’s important to the online merchant, and it’s important to the consumer. And they want to know about it. If you have a really solid identity verification solution, and you use it well and explain it carefully, it’s going to do nothing but increase your customer acquisition rate.”

Peter Johnston is a freelance writer and editor based in the New York City area.